How Browsers' Explanations Impact Misconceptions About Private
Total Page:16
File Type:pdf, Size:1020Kb
Your Secrets Are Safe: How Browsers’ Explanations Impact Misconceptions About Private Browsing Mode Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acary, Sascha Fahly, Blase Ur University of Chicago, yLeibniz University Hannover {yuxiwu,panyagupta,weim,blase}@uchicago.edu, {acar,fahl}@sec.uni-hannover.de ABSTRACT the history bar, auto-filled forms, or search suggestions. Private All major web browsers include a private browsing mode that does modes thus help users hide browsing sessions from people sharing not store browsing history, cookies, or temporary files across brows- a device with them. ing sessions. Unfortunately, users have misconceptions about what While these private modes aim not to save user data locally, this mode does. Many factors likely contribute to these misconcep- many threats to privacy are outside their scope. For example, pri- tions. In this paper, we focus on browsers’ disclosures, or their in- vate mode does not aim to prevent tracking over the network. While browser explanations of private browsing mode. In a 460-participant browser cookies do not persist across private browsing sessions, online study, each participant saw one of 13 different disclosures this is a minor barrier to tracking by third-party advertising and (the desktop and mobile disclosures of six popular browsers, plus a analytics companies, who can employ more sophisticated finger- control). Based on the disclosure they saw, participants answered printing techniques [14, 17]. Furthermore, implementations are questions about what would happen in twenty browsing scenarios imperfect, often leaving some traces of local activity [1, 36, 47]. capturing previously documented misconceptions. We found that Despite the limited protections private modes provide, some browsers’ disclosures fail to correct the majority of the misconcep- users overestimate these protections [13, 20]. This overestimation tions we tested. These misconceptions included beliefs that private reaches far; Eric Schmidt, former CEO of Google, once stated, “If browsing mode would prevent geolocation, advertisements, viruses, you’re concerned, for whatever reason, you do not wish to be and tracking by both the websites visited and the network provider. tracked by federal and state authorities, my strong recommendation Furthermore, participants who saw certain disclosures were more is to use incognito mode, and that’s what people do” [38]. likely to have misconceptions about private browsing’s impact on In this paper, we take initial steps toward unpacking these mis- targeted advertising, the persistence of lists of downloaded files, conceptions by conducting a user study of how browsers’ own and tracking by ISPs, employers, and governments. explanations of private mode impact users’ understanding of what these modes do. Browsers differ in how they explain private mode; CCS CONCEPTS even the mode’s name differs (e.g., “Incognito Mode” in Chrome, “InPrivate” in Edge, and “Private Browsing Mode” in Firefox). We • Security and privacy → Usability in security and privacy; focus on the disclosure, or full-page explanation browsers present Browser security; when users open a new window in private mode (the catch-all term KEYWORDS we use across browsers). Notably, disclosures often differ between a given browser’s desktop and mobile versions. Private browsing, Web browser privacy, Usable privacy, User study, We conducted a between-subjects online study in which 460 par- Incognito mode, Private browsing mode ticipants each saw one of 13 different disclosures (the desktop and ACM Reference Format: mobile disclosures of six popular browsers, plus a control disclosure) Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acary, Sascha Fahly, Blase rebranded for a hypothetical new browser. Participants answered Ur. 2018. Your Secrets Are Safe: How Browsers’ Explanations Impact Mis- questions about what would happen in twenty different browsing conceptions About Private Browsing Mode. In WWW 2018: The 2018 Web scenarios. In some of these scenarios, private mode protects the Conference, April 23–27, 2018, Lyon, France. ACM, New York, NY, USA, user’s privacy, while the other scenarios encapsulate previously 10 pages. https://doi.org/10.1145/3178876.3186088 documented misconceptions [13, 20] about private mode. 1 INTRODUCTION We found that participants had many misconceptions, including beliefs that private mode would prevent geolocation, protect from Each of the five web browsers widely used today — Chrome, Edge, malware, eliminate advertisements, and prevent tracking by the Firefox, Safari, and Opera — offers a private mode that stops stor- websites visited and network providers. The particular disclosure ing browsing history and caching data across sessions. Unwanted participants saw impacted their misconceptions. Compared to a information from the user’s browsing history will not appear in meaninglessly vague control condition, the current and previous This paper is published under the Creative Commons Attribution 4.0 International Chrome desktop disclosure led participants to answer more sce- (CC BY 4.0) license. Authors reserve their rights to disseminate the work on their narios correctly; no other disclosure we tested had a significant personal and corporate Web sites with the appropriate attribution. effect. Participants who saw certain disclosures were more likely to WWW 2018, April 23–27, 2018, Lyon, France © 2018 IW3C2 (International World Wide Web Conference Committee), published have misconceptions about private mode’s impact on specific sce- under Creative Commons CC BY 4.0 License. narios: targeted advertising, the persistence of lists of downloaded ACM ISBN 978-1-4503-5639-8/18/04. files, and tracking by Internet service providers (ISPs), employers, https://doi.org/10.1145/3178876.3186088 WWW 2018, April 23–27, 2018, Lyon, France Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acary, Sascha Fahly, Blase Ur and governments. Phrases used in some disclosures (e.g., “tracking save the list of files downloaded in private mode. All browsers can protection”) appear to contribute to misconceptions. access existing bookmarks in private mode, and new bookmarks While prior work has documented misconceptions about private saved in private mode are available in future sessions [22, 31, 34]. mode, our study is the first to focus on the role browsers’ disclosures Browsers differ somewhat in their private modes. Chrome and play. These disclosures, which users see each time they open a Edge do not save preferences (e.g., pop-up blocking, download loca- new private browsing window, are the main vector for disabusing tions) from private sessions, while Firefox and Opera do. Browsers users of misconceptions that might derive from loaded names like similarly differ in how they handle browser extensions. Edge com- “private browsing mode” and “incognito mode” [24, 39, 48]. While pletely disables extensions, while Firefox and Safari leave them we found that some browsers’ disclosures are better than others, all enabled by default. Chrome and Opera disable extensions by de- disclosures we tested failed to correct important misconceptions. fault, but let users manually enable them. 2 BACKGROUND AND RELATED WORK 2.2 Previously Documented Misconceptions We first summarize features of current browsers’ private modes. We then discuss prior work on misconceptions about private mode To create the browsing scenarios for our study, we gathered mis- and work on privacy communication more broadly. conceptions about private mode previously documented in the academic literature and news media. Two prior user studies have 2.1 Features of Private Browsing focused on misconceptions about private mode. Gao et al. surveyed 200 Mechanical Turk workers, examining qualitatively why partic- All major web browsers include a private mode designed to protect ipants used private browsing modes and what they believed the against local privacy threats with physical access to a machine [1]. modes do [20]. More recently, the search engine DuckDuckGo con- These modes aim to remove local copies of browsing history, tem- ducted a demographically representative sample of 5,710 Americans, porary files, and cookies from a machine. That said, the implemen- documenting seven misconceptions about private browsing [13]. tation of these features is imperfect [1]. Xu et al. demonstrated that Prior work has found that some users incorrectly believe private sophisticated attackers can still gain access to information from pri- mode shields them from tracking by visited websites, online adver- vate sessions [47]. Similarly, Satvat et al. found vulnerabilities that tising companies, the government, and ISPs [13, 20, 24, 27, 39], and enable sophisticated attackers and malware to steal information some are also under the misconception that websites cannot view from private mode [36]. While such attacks are important to overall IP addresses in private mode, thereby preventing geolocation [13]. browser security, they are not the focus of our work. Instead, we Furthermore, some users believe that private mode can control what study how users’ expectations compare to private mode’s intended third parties save [24]. For instance, users may not consider that protections. To determine these intended protections, we examined companies can record browsing histories when users are logged both browser-specific documentation and prior research on private into their accounts, regardless of browsing mode [13, 16]. Users modes. For potential behaviors that were not formally